NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

NOTEBOOK PROCUREMENT AND WINDOWS 2000 MIGRATION REVIEW

Report #OIG-01-07
July 10, 2001

Frank Thomas
Inspector General

Released by: William A. DeSarno, Assistant Inspector General for Audits
Auditor in Charge: Tammy F. Rapp, Senior IT Auditor
Auditor: Charles Funderburk, Senior Auditor

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
BACKGROUND
OBJECTIVES
SCOPE AND METHODOLOGY
OBSERVATIONS AND RECOMMENDATIONS
   I. NOTEBOOK PROCUREMENT
      NCUA Complied with Agreed Upon Methodology for Purchasing Notebook Computers and Windows 2000
      NCUA complied with Simplified Procurement Procedures in the procurement of notebook computers
      NCUA complied with proper procurement policy in the procurement of the Windows 2000 operating system
      Lease versus purchase analysis was limited
      Actual costs were below budget
      2000 budget did not accurately reflect the cost of Microsoft licenses
      Although equipment specifications evolved during the procurement process, they were reasonable
      Technical evaluation was sound
      Vendor solicitation selection complied with policies and procedures, but solicited vendor list was ad hoc
      Multiple amendments to RFQ were issued
      One day response time for BAFO
      Internal controls over the purchase requisition process were weak
      Acquisition planning hampered by time constraints
      Considerations for future replacement of notebooks
   II. WINDOWS 2000 MIGRATION
      NCUA was Not Exposed to Unreasonable Risks by Implementing Windows 2000 Early
      CIO has authority to make decisions about architecture
      ISOC and OED were informed of impending decision to migrate to Windows 2000
      The benefits of migrating to Windows 2000 early outweighed the risks
      The best long term option available was to migrate to Windows 2000 with NCUA’s new hardware
      Project management and planning need to be enhanced
      Insufficient evidence to determine the amount and level of testing performed
      The contingency plan to revert back to NT was questionable
      NCUA rolled out an early release of a commercial version of Windows 2000 – this early release was the same as the public release on February 17, 2000
      Post implementation results show no major issues
APPENDIX – Simplified Procurement Policy and Procedures

EXECUTIVE SUMMARY

NCUA’s January 2000 notebook computer procurement and migration to Windows 2000 Professional (Windows 2000) required significant agency resources. NCUA senior management was interested in a review of the notebook procurement and Windows 2000 migration risks, and the OIG viewed this as an opportunity to present lessons learned and provide recommendations for improvement in a recurring event.

The OIG’s review focused on the activities surrounding the 2000 notebook procurement process and Windows 2000 migration decisions.
The review included inquiry of personnel, document review and analysis, and limited testing.

This review contained two major objectives. The first was to determine what methodology was used to acquire new computers and Windows 2000 and whether this methodology was followed; and the second objective was to determine if the agency was exposed to unreasonable risks by implementing an operating system before it was commercially available.

NCUA COMPLIED WITH AGREED UPON METHODOLOGY FOR PURCHASING NOTEBOOK COMPUTERS AND WINDOWS 2000

The Board approved Simplified Procurement Procedures for the notebook procurement. The OIG determined that the agency substantially complied with Simplified Procurement Procedures, as well as NCUA policies and procedures and NCUA’s unofficial Methodology for Acquisition of New Computers & Printers. The agency purchased Windows 2000 off GSA schedule, which was deemed compliant with NCUA policies and procedures. It is important to emphasize that actual costs incurred for the notebooks and associated hardware were approximately $2 million less than budgeted. The OIG identified many other strengths including NCUA’s evaluation of equipment and vendors; and obtaining quotes from several sources. In addition, the Information Systems Oversight Committee (ISOC) was heavily involved in the notebook procurement process, including approval and presentation to the Board. This report also notes some areas where NCUA needs to strengthen planning and documentation.

NCUA WAS NOT EXPOSED TO UNREASONABLE RISKS BY IMPLEMENTING WINDOWS 2000 EARLY

The OIG determined that the agency implemented an early copy of Windows 2000 that was obtained directly from Microsoft in December 1999 and was the same release placed on store shelves in February 2000. There were risks with implementing Windows 2000 prior to its general use in the industry.
However, those risks were not unreasonable and many steps were taken to mitigate some of the risks.

Although the CIO is responsible for the agency’s architecture as defined in the Clinger-Cohen Act of 1996 and the CIO’s position description, NCUA’s CIO informed the ISOC and the Office of Executive Director (OED) of his impending decision to migrate from Windows NT 4.0 to Windows 2000. The CIO identified the benefits of Windows 2000 and took action to mitigate some of the risks of early adoption. The upgrade to Windows 2000 was inevitable, so the CIO weighed the options of adopting Windows 2000 with our new hardware, upgraded office automation software and examination system versus waiting to a later date. The OIG was informed that if Windows 2000 was not available to meet our training schedule, our contingency plan was to continue with the NT platform. There was insufficient evidence to support that NT was a viable contingency plan. In addition, there was insufficient documentation to determine the level of testing performed. However, the post implementation results indicate that there were no significant issues with our migration to Windows 2000.

………….

The OIG made 22 specific recommendations regarding lease analysis, budget estimates, shopping GSA schedule, improvements in vendor listing, compressed time frames, improved project planning and documentation.

INTRODUCTION

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) performed a review of the Compaq notebook computer (notebook) procurement and Windows 2000 implementation for the following reasons:

   1. The notebook computer procurement required extensive agency monetary resources.
   2. The implementation of new agency computers, upgraded operating system, upgraded Office suite, and upgraded automated credit union examination program was a major effort requiring extensive agency resources.
   3. NCUA senior management informed the OIG of their interest in such a review.
   4. Technology is always evolving, and a review would offer the opportunity to present lessons learned and provide recommendations for improvement in a recurring event.

BACKGROUND

HISTORY

In 1987, NCUA first purchased personal computers for examiner staff. These were Toshiba T3100 portable computers running DOS based programs and ACES, the agency’s first generation automated examination program. In 1988, the agency purchased IBM PS/2 desktop computers for staff working in an office setting. The agency kept these respective computers in service for eight years. These machines were upgraded at least once during this time frame.

In 1995, the agency purchased IBM ThinkPad 755C notebooks to replace the Toshibas. The DOS operating system was also replaced by Microsoft Windows 3.11 and ACES was replaced by the agency’s second-generation automated examination program, AIRES. The agency kept these respective computers in service for five years. These computers were upgraded at least once during this time frame. The agency purchased Hewlett-Packard desktop computers with Windows NT 4.0 in 1996, and the remaining ThinkPads were upgraded to NT 4.0 by the end of 1997. The agency kept these machines in service for four years.

On June 8, 1999 the NCUA former Executive Director (ED) reestablished the ISOC. The ISOC was charged with developing a charter consistent with an Information Technology (IT) strategic planning process. On August 12, 1999, the ISOC held their first meeting.
New agency computers and commercial off the shelf software (including the Windows 2000 operating system) were discussed at this meeting.

On October 6, 1999 the NCUA Board approved the leasing of notebooks for all agency staff and participating state examiners. On December 17, 1999 the agency initiated a purchase order in the amount of $6,544,224 for a three-year lease of notebooks. In 2000, the agency implemented Compaq Armada M700 notebooks running Windows 2000 operating system, Office 2000, and loaded with the agency’s third generation automated examination program, AIRES. For more information representing the significant events surrounding the notebook procurement and Windows 2000 migration you will find a detailed timeline in the Scope and Methodology section.

PROCUREMENT POLICY AND PROCEDURES

According to the NCUA Rules and Regulations, Part 790, the following is a description of the NCUA organization as it relates to IT procurements:

   • The NCUA is managed by the NCUA Board;
   • The Office of Executive Director (OED) translates Board policy into workable programs, delegates responsibility for these programs to appropriate staff members, and coordinates activities of senior executive staff.
     The ED is otherwise to be privy to all matters within senior executive staff’s responsibility;
   • The Office of Administration (OA) is responsible for contract management, contracting and procurement;
   • The Office of Chief Financial Officer (OCFO) is responsible for budgetary matters;
   • The Office of Examination and Insurance (E&I) formulates standards and procedures for the examination and supervision of Federally Insured Credit Unions;
   • The Office of General Counsel (OGC) has overall responsibility for all legal matters affecting NCUA;
   • The Office of Training and Development (OTD) is responsible for the training and development of NCUA staff;
   • The Office of Chief Information Officer (OCIO) manages and administers NCUA information resources; develops, maintains, operates and supports information systems, which directly support the agency’s mission.

NCUA procurement policies and procedures are provided via NCUA Instruction 1770.11 dated August 9, 1994. Instruction 1770.13, dated May 28, 1999 modifies and clarifies Instruction 1770.11 regarding procurement planning. Below is a synopsis of NCUA’s procurement policies and procedures:

   • The Director of the Office of Administration is the agency’s contracting officer. The OA Director signs all agency procurement documents, manages and implements the agency procurement program.
     The ED has overall responsibility for the agency’s procurement program;
   • The agency will establish streamlined acquisition procedures and obtain goods and services necessary to accomplish the agency’s mission at fair and reasonable prices;
   • The goal is to obtain the “best value”;
   • GSA mandatory supply schedules will be the agency’s primary source for supplies;
   • The agency is not subject to the Federal Acquisition Regulations (FAR) and Federal Information Resource Management Regulation (FIRMR);
   • The agency will use competitive acquisition procedures to the maximum extent practical;
   • Needs will be stated in functional terms and solicitation will clearly disclose evaluation factors other than price;
   • Advanced acquisition planning means coordinating efforts of all personnel responsible for an acquisition through a comprehensive plan for fulfilling NCUA’s needs in a timely manner and at a reasonable cost;
   • Acquisition planning formally begins with a purchase requisition of statement of work, but must begin far in advance of that in order to obtain proper funding approval, determine contract requirements obtain proper clearances and coordinate with other affected offices.
     Acquisition planning is required for procurements over $100,000 unless an emergency or written justification;
   • A request for quotation (RFQ) means an informal bidding procedure for specifically described supplies, services or property;
   • Brand name procurements require written justification and if over $100,000 require Executive Director approval;
   • Special items approvals required for IT acquisitions over $100,000 are: Ethics Officer for long term contracts; OGC for legal sufficiency; OCIO for hardware or software; OTD for training; ISOC to ensure goods are appropriate for the agency’s strategic plan;
   • The general procurement process is advance planning; purchase requisition preparation by office of primary interest (OPI), special items approval, OPI coordination, RFQ, contract officer preparation time, technical evaluation, negotiations, preparation of contract;
   • The two major procurement methods used by NCUA are: Simplified Procurement Procedures and Formal Procedures.

Simplified Procurement Procedures (as defined by NCUA and referred to in the FAR Part 13) are used for limited open market competition or existing government contracts for non-complex procurements under $100,000 or for Commercial Off The Shelf (COTS) supplies which cost less than $5 million. Procurement planning is still required for procurements over $100,000.

Simplified Procurement Procedures as described in the FAR, Part 13 were established as a test program to reduce administrative cost, improve opportunities for small and disadvantaged vendors, promote economy and efficiency in contracting and avoid unnecessary burdens on agencies and contractors.
Procurements from $2,500 to $100,000 are set aside for small business concerns. Simplified procurement procedures are not to be used for procurements over $5 million. There are no specific mandatory procedures described in order to implement simplified procurement procedures. Contracting officers will promote competition to the maximum extent possible, establish deadlines for submission of responses to solicitations that afford suppliers a reasonable opportunity to respond, consider all timely quotations, inspect items received, include related items such as small hardware items in one solicitation, evaluate quotes impartially and on the basis established in the solicitation. Contracting officers are given broad discretion in evaluation procedures, formal evaluation plans, establishing competitive ranges, conducting vendor discussions, and scoring quotes. Documentation is to be kept to a minimum.

According to the General Services Administration (GSA), GSA Federal supply schedule items are considered to be fair and reasonable. Best value is determined as a trade-off between cost and technical requirements. Using GSA Schedule is considered to be full competition.

BUDGET IMPACT

During the 1999 Budget cycle, a request for notebooks for all agency staff was denied for several reasons, including Y2K considerations. On February 23, 1999, as a result of the denied funding, OCIO put in a special request for funding in the amount of $225,000 for new machines to test AIRES.

On October 6, 1999, the Board approved $9.38 million for a 36-month lease for 1570 portable computers, 100 desktop computers, 400 docking stations, and 1570 printers/scanners via a Board Action Memorandum (BAM).

On November 18, 1999, the Board approved the 2000/2001 budget, which included new notebooks, printer/scanners, docking stations as previously approved on October 6, 1999, with a total estimated cost of $9.38 million and an annual cost of $2,612,500.
Additional costs directly and indirectly related to the computer upgrade were:

   • Regional conferences and AIRES training at a cost of $1,186,000;
   • Purchase of 80 computer monitors at a cost of $40,000;
   • Contract staff for computer configuration distribution at a cost of $100,000;
   • IBM notebook maintenance of $125,000;
   • Microsoft licenses with an estimated cost of $600,000 to be depreciated over two years with an annual cost of $300,000.

On November 16, 2000, the Board approved the budget for 2001/2002, which included the annual lease costs for the notebooks, printer/scanners and docking stations in the amount of $1,843,547. The 2001/2002 budget also included an annual expense of $380,000 for Microsoft licenses.

OBJECTIVES

The objectives of the Office of Inspector General’s review were to:

   • Determine what methodology was used to acquire new computers and Windows 2000 and whether this methodology was followed; and
   • Determine if the agency was exposed to unreasonable risks by implementing a new operating system platform before it was commercially available.

SCOPE AND METHODOLOGY

Our review focused on the activities surrounding the 2000 notebook procurement process and Windows 2000 migration decisions.
Our review included inquiry of personnel, document review and analysis, and limited testing.

Below is a listing of some of the review procedures we performed:

   • Prepared a timeline of significant related events from 1998 through 2000;
   • Interviewed over 30 people, including NCUA board members, Regional Directors (RD), Associate Regional Directors (ARD), managers, ISOC, staff, Microsoft, GSA, and vendors;
   • Reviewed management reports;
   • Reviewed documents provided by ISOC Chair and ISOC Members;
   • Reviewed project plans;
   • Reviewed status reports;
   • Reviewed AIRES test database;
   • Reviewed procurement files;
   • Reviewed BAM, October 6, 1999;
   • Reviewed agency procurement policy and procedures;
   • Reviewed FAR and GSA schedule guidelines;
   • Reviewed RFQ, Best and Final Offer (BAFO) and related vendor proposals;
   • Reviewed contracts;
   • Reviewed purchase orders;
   • Reviewed industry articles and literature;
   • Reviewed Microsoft license types;
   • Reviewed budgets;
   • Reviewed OTD documentation;
   • Reviewed project post mortems;
   • Reviewed agency inventory records; and
   • Performed limited testing of machine specifications.

This review was a challenge because we had to go back in time to a point where decisions were made without the benefit of today’s hindsight. We used as much information that was available at the time of the decision. Due to limited documentation, we had to place greater reliance upon testimonial evidence to form our conclusions.
In some instances, different opinions, lack of memory, or inconsistent responses complicated our analysis and conclusions.

We performed this review from September 2000 through April 2001.

The Office of Inspector General conducted this review in compliance with generally accepted government auditing standards.

MAJOR EVENTS SURROUNDING THE NOTEBOOK PROCUREMENT AND WINDOWS 2000 MIGRATION

11/98:                    Notebook unapproved for 1999 budget
3/22/99:                  Procure IBM test machines
6/99                      OCIO became aware that Windows 2000 could be an option for new hardware in 2000
8/2/99                    ADT begins Aires 2000/Windows 2000 beta/Office 2000 testing
8/5/99                    OTIS Update reflected Windows 2000/AIRES testing
Late Aug/Early Sep 1999   OCIO begins testing Windows 2000 beta
Sep 1999                  Mgmt Report noted testing of Windows 2000 beta with AIRES for possible use in next generation notebook
9/3/99                    Notebook specifications approved
10/1/99:                  Procure four differing test notebooks
10/6/99:                  Board authorized notebook procurement/leasing
10/6/99:                  OTD issues RFP for notebook/AIRES training
10/29/99                  Hotel proposals due
11/8/99:                  Executive Director approves training hotel/site selection
11/9/99:                  Notebook test machine evaluation
11/10/99                  TDG notebook evaluation results provided to ISOC
11/16/99:                 Training hotel contract signed
11/16/99:                 Notebook RFQ issued
11/18/99:                 2000 budget approved, including lease for notebooks
11/22/99:                 First response date for notebook RFQ
11/24/99:                 Notebook RFQ response date extension
Late Nov/Early Dec 99     Firm decision to go with Windows 2000
Dec 1999                  Windows 2000 more stable than NT
12/1/99:                  Began discussions with final three competing vendors for notebooks
12/6/99:                  BAFO proposal issued
12/7/99:                  BAFO responses due
12/7/99:                  Purchase order issued for training hotel
12/10/99                  All applications must be modified and ready for NT 4/Office 2000
12/13/99:                 Technical capability evaluation of final three notebook vendors
12/15/99                  Windows 2000 RTM Available
12/16/99:                 Notebook procurement legal and ethical reviews performed
12/16/99:                 Executive Director approval for notebook procurement
12/17/99:                 Purchase order issued for notebooks
12/24/99                  NCUA received Windows 2000 RTM
Jan 00:                   Notebook receipt begins
Jan 00                    Compaq notebooks, AIRES, Windows 2000 (final platform) tested
1/18/00:                  Purchase order issued for leasing of printers/scanners
Jan/Feb 00                Notebook distribution begins
2/7/00-2/18               Final user testing with lock down
2/17/00                   Windows 2000 available on store shelves
2/20/00:                  Train the trainers session held
2/23/00:                  Purchase order issued for desktop computers
3/16/00                   Purchase order issued for Microsoft Licenses
3/16/00:                  Notebook and AIRES training begins
6/9/00:                   Notebook and AIRES training ends
6/19/00                   First Regional Conference – San Antonio

Section 1: NOTEBOOK PROCUREMENT
OBSERVATIONS & RECOMMENDATIONS

NCUA COMPLIED WITH AGREED UPON METHODOLOGY FOR PURCHASING NOTEBOOK COMPUTERS AND WINDOWS 2000

Our first objective was to determine what methodology was used to acquire new computers and Windows 2000 and whether this methodology was followed. The Board approved Simplified Procurement Procedures for the notebook procurement. We determined that the agency substantially complied with Simplified Procurement Procedures, as well as NCUA policies and procedures and NCUA’s unofficial Methodology for Acquisition of New Computers & Printers. The agency purchased Windows 2000 off GSA schedule, which was deemed compliant with NCUA policies and procedures. See Section II for a detailed discussion of NCUA’s migration to Windows 2000. It is important to emphasize that actual costs incurred for the notebooks and associated hardware were approximately $2 million less than budgeted. We identified many other strengths including NCUA’s evaluation of equipment and vendors.

We also noted some areas where NCUA needs to strengthen planning and documentation. We made specific recommendations regarding lease analysis, budget estimates, shopping schedule, improvements in vendor listing, and compressed time frame.

NCUA Complied with Simplified Procurement Procedures in the procurement of notebook computers

AUTHORIZATION of PROCUREMENT METHODOLOGY

On October 6, 1999 the NCUA Board approved the procurement of Tier 1 notebooks for all agency staff to be leased over a three-year time frame.
The Board also approved the use of simplified acquisition procedures for this project. In addition, the Board waived the $5 million threshold ceiling for simplified procurement procedures, per the FAR.

According to the October 6, 1999 Board Action Memorandum approved by the Board, the justification for use of simplified procurement procedures stated:

   • There is no development or customization involved in this procurement since the agency was acquiring commercial, off the shelf products on a fixed price basis
   • The agency planned to place an order against an existing government contract, thus offering no risk for protest
   • The agency will compare several different contracts to determine best value and offer an element of competition
   • If the agency did not approve these procedures, the agency may not be able to meet the projected schedule for implementation

The agency procured commercial off the shelf notebooks on a fixed priced basis. However, there was some customization to the standard lease entered into via the SEWP evidenced by an NCUA initiated lease addendum for OEM memory, custom inventory tagging, NCUA’s delivery schedule, on-site next-day-turnaround warranty, and return of leased equipment.

The agency placed an order against an existing government contract via a NASA SEWP contract. However, the request for quotes did not list this as a requirement. And, while two vendors submitted open market quotes, neither of these vendors was selected for contract award.

The agency compared several vendors’ government contract proposals via the RFQ process.
In addition, the agency asked for Best and Final Offers from the three lowest quotes per the RFQ process.

The agency proposed to establish a fixed deadline for notebook distribution of June 2000.

In addition to following simplified procurement procedures, additional procurement policy and procedures were listed as part of the October 6, 1999 BAM and accompanying package:

   • ISOC reviewed types of hardware available on the market;
   • Methods of paying for machines;
   • Maintenance and support options;
   • Expectations for length of service for new hardware; and
   • Options for delivering and training staff on a new computing platform.
   • Machines will be distributed to staff prior to June 2000.
   • AIRES test group will test machines.
   • Hotel contracts (for delivery and training) cannot be signed until we are certain about computer and software delivery.

The ISOC reviewed the results of testing for four types of notebooks on the market on November 9, 1999. The ISOC reviewed lease vs. purchase options. We were unable to determine conclusively what maintenance and support options were reviewed. A life cycle analysis was performed by a third party and reviewed by the ISOC. Options for delivery and training of staff were prepared by OTD and communicated to the ISOC. An AIRES test group tested four sample test machines on November 9, 1999 and communicated its results to the ISOC. The hotel contract for notebook and AIRES training was signed on November 16, 1999. On that same date, the first Request for Quotes for the notebooks was mailed.
However, a decision of which operating system to install had not been finalized, and the agency automated examination program to be installed on the new notebooks was still undergoing testing.

SIMPLIFIED PROCUREMENT PROCEDURES

Simplified Procurement Procedures impose a ceiling for the acquisition of supplies with an aggregate amount not exceeding $5 million. In addition, simplified procurement policy does not apply if the agency can meet its procurement requirements using required sources of supply and Federal Supply Schedule contracts.

The NCUA Board waived the simplified procurement ceiling of $5 million via the October 6, 1999 BAM, due to the justification of time and scheduling constraints for notebook and AIRES training. If the agency had to cancel training, which was scheduled to begin in March 2000 for field staff, the cancellation penalty could have been as high as $495,698 (per the November 16, 1999 signed contract).

The purchase orders for the BAM approved desktop computers and printers/scanners did not use simplified procurement procedures but did use Federal Supply Schedule Contracts (the same lease SEWP contract as the notebook procurement). Our review of these two purchase order files found no evidence that other Federal Supply Schedule contracts were reviewed for a lower cost alternative. While this is not a requirement, searching the supply schedule can sometimes produce a lower cost. In addition, we did not review and could not ascertain, how the brand name product was determined for the printer/scanners other than it is OCIO policy to procure same brand equipment and this brand was the previous brand printer used by field staff.

Basically, Simplified Procurement Procedures allow the contracting officer broad discretion in fashioning suitable evaluation procedures and encourage a minimum of documentation. Nonetheless, the contracting officer must determine that the proposed price is fair and reasonable.
See Appendix A for a more
detailed review of Simplified Procurement Policy and Procedures.

The NCUA Office of General Counsel opined to us verbally that the agency
complied with Simplified Procurement Procedures for the notebook procurement.
Additionally, the NCUA Ethics Officer found no improprieties and the OGC found
the procurement to be legally sufficient.

We concur with OGC’s conclusions and offer the following observations on our
review of the notebook procurement.

The agency established an evaluation plan whereby technical and pricing issues
were considered. In addition, a competitive range was used, vendor discussions
were held, and vendor quotations were scored.

The agency determined that the awarded contract was fair and reasonable by
using an existing SEWP government contract. The procurement file
demonstrated that technical and cost considerations were used in awarding the
contract, showed the number of offers received and demonstrated the basis of
the award decision.

There was no evidence to indicate that the agency solicited quotations on the
basis of personal preference or restricted solicitations to suppliers of well-known
and widely distributed makes or brands.

The agency promoted competition by issuing an RFQ and BAFO. Through this
process, the agency used an effective innovative process and obtained a
quantity discount. Transportation charges were included in the solicitation and
quotations appeared to be evaluated in an impartial manner. The equipment was
inspected upon receipt. We corroborated this via an independent analysis of the
computer components received and verified the receipt of quantity of items
ordered.
We found evidence that no reasonable offer was rejected.

The original RFQ and subsequent amendments did not notify the vendors that
the award was being evaluated on technical and price considerations. However,
the BAFO did notify the final three bidding vendors that the agency had a slight
preference (technical) for the Compaqs over the IBMs solicited, but that this
factor was less important than price. The RFQ was sent to twelve potential
vendors and the BAFO was sent to the final three (based on competitive range)
vendors. Per agency procurement files, the award was to be based upon 75%
technical and 25% price. The agency established an original deadline for
submission for the RFQ of six days. This deadline was extended two days,
apparently at the request of one vendor. The BAFO response time was one day.
According to agency senior staff, this time frame was considered reasonable. All
vendor quotations received by the established due dates were considered.
However, one RFQ proposal received five days after the stated response time
was still considered. In addition, two of the three BAFO responses were received
one day late and both were considered. In fact, the contract was awarded to one
of these vendors who submitted a late proposal.

The agency did not include related computer items in the RFQ/BAFO solicitation.
Desktop computers and printer/scanners for staff were approved for leasing
along with the notebooks via the October 6, 1999 BAM. These items were
procured later as an attachment to the awarded vendor lease. Since this leasing
contract was an already competed SEWP contract, the agency was in
compliance with procurement policy and procedures.

The purchase order issued for the notebooks was on a fixed price basis,
specified the quantity, and provided delivery dates.
We also noted that NCUA
inspected the goods upon acceptance.

OTHER PROCUREMENT PROCEDURES

Attached as an addendum to the October 6, 1999 BAM was a document titled
“Methodology for Acquisition of New Computers & Printers at NCUA”. This
document describes eleven steps that primarily relate to the strategic decision
making process, but also apply to the procurement planning process. These
eleven steps are as follows:

   1. Analysis of Needs
   2. ISOC Approval of Initiative
   3. Market Survey of Product Offerings
   4. Budget Approval
   5. Testing/Evaluation of Top Tier Machines
   6. Third Party Technical Review
   7. Procurement Process
   8. Analysis of Alternative Acquisition Strategies
   9. Pre-procurement Review by ISOC
   10. Implementation and Distribution
   11. Post-implementation Review

To the best of our knowledge, the above referenced “Methodology for Acquisition
of New Computers & Printers at NCUA” was never officially adopted as official IT
procurement policy. In addition, it is unclear if this was the procurement
methodology that the NCUA Board approved as a description of the specific
simplified procurement procedures to be followed. However, it appears that
NCUA substantially complied with all of the eleven steps above with the following
minor exceptions:

   •   There is no written documentation that a Third Party Technical Review
       was performed. However, senior management indicated that this review
       was performed via a telephone conversation with an independent IT
       consulting firm. Subsequent to this review, OCIO management provided
       us with handwritten notes from the third party review.
   •   Implementation costs and additional maintenance costs (additional
       warranty coverage) were not presented to the NCUA Board at the October
       6, 1999 BAM meeting.
       However, implementation costs were provided
       during the 2000 budget process, which was approved in November 1999.
       In addition, the option of having additional warranty coverage may not
       have been known at the time of the October 6th BAM meeting.

Other NCUA prescribed procurement policies and procedures, per NCUA
Instructions 1770.11 and 1770.13:

   •   Acquisition planning required for procurements over $100,000.
   •   Brand name procurements require written justification and if over
       $100,000 require Executive Director approval.
   •   IT acquisitions over $100,000 require Ethics officer approval for long term
       contracts; OGC approval for legal sufficiency, OCIO approval, OTD
       approval for training, and ISOC approval to ensure appropriateness for
       agency’s strategic plan.

Acquisition planning was performed, although it appeared to begin too late in the
process and was hampered by self-imposed time constraints (scheduled
training). The former Executive Director approved the notebook procurement,
approved a brand name waiver and approved a Commerce Business Daily
advertising requirement waiver. The agency Ethics officer, OGC, OCIO, OTD
and ISOC all approved the acquisition.

Recommendation:
  1. Clearly define agency procurement policy and procedures. We suggest
     the NCUA procurement instruction(s) be merged with simplified
     procurement procedures that are applicable to NCUA. If the IT acquisition
     methodology is intended for all IT acquisitions, it should be incorporated
     into NCUA procurement policy and procedures.

       OA and OED agreed with this recommendation.
       OA has been working
       with OGC rewriting NCUA Procurement Policies and Procedures manual.
       The draft manual will be distributed for comments, and OA anticipates
       finalizing the manual by October 31, 2001.


NCUA Complied with Proper Procurement Policy in the Procurement of the
Windows 2000 Operating System

In March 2000, the agency purchased an enterprise agreement for Microsoft
licenses (including Windows 2000, Office 2000, etc.) from a GSA schedule
vendor. By using a GSA schedule vendor for this procurement, the agency was
in compliance with procurement policies and procedures of obtaining a fair and
reasonable price and in compliance of obtaining full and open competition.
Although NCUA was in compliance by purchasing licenses from the GSA
schedule, we encourage the agency to shop the schedule for future purchases
and support their decision to select a particular vendor.


Lease versus Purchase Analysis can be Improved

Per the BAM of October 6, 1999, the budget impact for a 36-month
lease of equipment was:

             1570 portable computers @$4700       $7,379,000
             1570 printers/scanners @$400            628,000
             400 docking stations @$500              200,000
             100 desktop computers @$2300            230,000
                   TOTAL                          $8,437,000
                   Interest                          941,362
                   TOTAL (operating and Ins fund) $9,378,362

Lease versus purchase options were considered during the BAM presentation.
Primary justifications were to even out cash flows and establish a three-year
replacement cycle for
notebooks. The dollar difference calculated was less than
$100,000 between a 36-month lease and a cash purchase of the notebooks.
However, the BAM presented attachment did not provide for the interest rate
assumptions used for the leasing imputed interest rate or the interest rate used
for the time value of money. In addition, financing a purchase was not
considered as an option during the BAM presentation. Information concerning
the interest rate assumptions was not contained in the final BAM; however, it was
documented and discussed with the ISOC and NCUA Board, according to OCFO
and OED.

Per OED, since it was determined that an outright purchase of the laptops was
not in the best interests of NCUA, no lengthy discussion of borrowing funds from
a third party to purchase the laptops was considered.

We also determined that the estimated cost per notebook of $4,700 was
reasonable, based upon the prices paid for four test machines by the agency.

Recommendation:
  2. Whenever leasing versus purchasing options are reviewed, all options
     (such as financing a purchase) should be considered. In addition, leasing
     versus purchase options should be considered at the point of solicitation
     of actual quotations in order to compare actual purchase versus actual
     leasing costs.

      OED agreed with this recommendation.


Actual Costs were below Budget

The October 6, 1999 BAM provided an estimated budget
impact of $9,378,362 over a three-year period. The agency spent substantially
less for the listed equipment than was budgeted.
The table below shows the
estimated equipment costs per the BAM (including interest assumed) and actual
costs incurred.

ITEM                     BUDGETED PER BAM     ACTUAL COSTS
Notebooks                      $8,202,315       $6,367,920
Docking Stations                  222,315          130,176
Portable Printers                 698,069          554,268
Desktop Computers                 255,663          187,980
Laser Jet Printers                                  73,662
Mice                                                13,248
Keyboards                                           32,880
Monitors                                            41,442
TOTAL                          $9,378,362       $7,401,576

However, only the notebooks, docking stations, mice and keyboards were
solicited for competition via the RFQ process with a purchase order being issued
on December 17, 1999. These actual costs equated to $6,544,224 of the
$7,401,576.

The portable printers and laser jet printers were not included in the RFQ
solicitation. They were procured by attaching to the same awarded government
contract as the notebooks with a purchase order issued on January 18, 2000 in
the amount of $627,930. We researched current costs for like printer scanners
and discovered among four Federal Supply Schedule vendors that prices varied
from $195 to $288 per machine. The agency only procured 1,300 portable
printers versus the 1,570 that were budgeted after agency needs were
reevaluated. In lieu of 270 portable printers, NCUA purchased 134 laser jets.

The desktop computers and monitors also were not solicited via the RFQ
process with the notebooks.
They, too, were procured by attaching to the
awarded SEWP contract by issuing a purchase order on February 23, 2000 in
the amount of $229,422. Monitors were budgeted in the 2000 budget for a cash
purchase of $40,000 for 80 monitors. The agency actually procured 23 monitors
with a 36-month lease cost of $41,442. Although these acquisitions were in
compliance with procurement policy and procedures, the agency may have been
able to get further price reductions via the RFQ process as was done with the
notebooks.

The following are additional items listed in the 2000 Capital Acquisition Budget,
which were not present in the BAM.

      Printer, copier, fax scanner       $  7,302       annual lease exp
      Contract staff configuration        100,000       cash exp, depr 3 yrs
      80 computer monitors @ $500          40,000       cash exp, depr 3 yrs

The 2000 budget included additional leased printers/copier/fax (number of items
were not listed in the budget), contract staff configuration for computer
implementation and monitors, which were not presented to the Board at the
October 6, 1999 BAM, in the annual amount of $147,302. This equates to a
three-year total cost of $161,906.

Recommendations:
  3. Whenever a procurement is solicited for bid, all related goods or services
     should be part of that solicitation to take advantage of solicitation price
     discounts.

       OED and OA agreed with this recommendation. The contracting officer
       will ensure that this is done in future acquisitions of this nature.

   4. Although not required, we suggest that whenever the agency procures
      goods or services via federal government schedule or contract, that at
      least three federal government schedule/contract vendors be reviewed for
      “best value”.

       OED and OA agreed with this recommendation. According to OA, this will
       be incorporated in the revised procurement manual.


2000 Budget did not Accurately Reflect the Cost of Microsoft Licenses

OCIO’s 2000 budget submission did not accurately reflect the total
costs of MS licenses. OCIO
presented $600,000 as a one-time fee for MS license renewal in the FY 2000
budget. OCIO incorrectly presented their 2000 budget for these licenses and it
was subsequently corrected in 2001. When we discussed this issue with OCIO
managers, they did not recall the specific events around the 2000 budget item,
nor could they provide support for those estimates. In the fiscal year 2000
capitalized acquisitions budget, OCIO presented software licenses for 1000
employees as a one-time fee of $600,000 cash outlay to be depreciated over 2
years, with an annual cost of $300,000. There was no budget item in the
insurance fund for these licenses. In the FY 2001 budget, OCIO presented
$380,000 as an annual expense for licenses.

In March 2000, the agency purchased an enterprise agreement from a GSA
schedule vendor. The purchase order presented was for 1500 licenses with a
total cost of $379,680. The purchase order did not disclose that the enterprise
agreement was a three-year commitment with equal annual payments. Actual
expenses were $379,680 per year, with a three-year commitment totaling
$1,139,040.
Since the licenses were purchased off GSA schedule this was
considered fair, reasonable and competed.

Recommendation:
  5. NCUA Offices should fully document all items presented in their budget
     proposals and maintain this documentation for future reference.

       OED and OCIO agreed with this recommendation. According to OCIO,
       after submission of OCIO’s budget request, they identified a more
       beneficial licensing strategy for the agency. Since it was within the overall
       budget for the project, and in consultation with OCFO, OCIO
       recommended purchase of a three-year license to run concurrent with the
       notebook lease. This license provided more benefits to the agency at a
       lower overall cost. OCIO will provide better documentation during the next
       licensing cycle.


Although Equipment Specifications Evolved during the Procurement Process,
they were Reasonable

The October 6, 1999 BAM had as an attachment a September 3,
1999 document providing minimum computer specifications. We
believe that these specifications appear thorough and reasonable for staff usage
over a three-year term. However, it is somewhat unclear how these minimum
specifications were derived.

In interviews with OCIO staff, they indicated they were consulted on the
specification requirements. It was unclear if this was a minimum specification list
or a “wish list”. There is no documented evidence that an analysis was performed
to determine minimum equipment requirements. However, the CIO told us he
developed the specifications based on his experience and knowledge.

One of the requirements was to select Tier 1 equipment. Tier 1 is referred to as
high quality equipment.
Interviews with OCIO staff disclosed varying definitions
of Tier 1 manufacturers. Although not all Tier 1 machines were selected for
testing, the four machines selected by OCIO were considered Tier 1.

The RFQ was amended at least three times. The types of changes to
specifications included such things as notebook weight, hard drive size, type of
diskette drive, evolving definition of “identical components”, and type of warranty.
Because two months elapsed between the BAM and the RFQ, it is possible that
some changes to specifications resulted from more current research of
equipment needs, and/or discussions on availability of equipment, and options
with vendors. While the changes in the specifications appear reasonable, there
is no documentation in the procurement file to support these changes.


Technical Evaluation was Sound

The agency procured four different models of test machines. A user
test group evaluated each of these
four test machines based on pre-established criteria developed by OCIO. The
machines were tested using test scripts and scoring was performed. The scores
were combined and ratings provided on each machine. These results were
provided to the ISOC. Two makes were close in scoring but clearly ahead of
the other two makes. It was these two makes that were solicited via the RFQ
process and used as the basis for the solicitation’s technical evaluation. This
process was well documented and provided an excellent source for procurement
technical evaluation scoring.

During the solicitation process, three vendors were selected to compete via the
BAFO process. Prior to that process, OCIO staff visited the sites of all three final
vendors to determine their capabilities to meet our needs.
A written report of
these observations was prepared and presented to the ISOC. It was determined
that all three vendors could meet our requirements but there were distinct
differences of that ability described in the report. We believe that this evaluation
was an excellent idea and presented well. However, we were unable to
ascertain how it was used in the evaluation process of vendors.

Agency staff met with the final three vendors to gain further clarification of the
requirements of the procurement and capabilities of the vendors. NCUA staff in
attendance included OGC, ISOC, OA, OCFO, and OCIO. The use of a
consistent list of questions and topics for all three vendors was an excellent way
to conduct the discussions. Various NCUA attendees were asked for comments
or additional questions on December 1, 1999 for the meetings held that day and
the next. Questions from NCUA staff regarded mostly leasing terms. The
prepared list of topics discussed were:

   •   How vendors will meet the requirement of identical machines;
   •   Guarantee of delivery schedule with loading of custom NCUA software;
   •   Experience of vendor;
   •   Explain how maintenance support will work, what is available, cost, and
       non-performing machines;
   •   Windows 2000 license rebate.

Recommendation:
  6. When vendor capability is a factor in selection, clearly determine how the
     weight of the equipment evaluation and vendor capability evaluation will
     be scored for the technical evaluation portion of the award determination.

       OA agreed with this recommendation.
       The contracting officer will ensure
       that this is documented in future acquisitions of this nature.


Vendor Solicitation Selection Complied with Policies and Procedures, but
Solicited Vendor List was ad hoc

The agency obtained a sufficient number of vendors to solicit and
the process was in compliance with
procurement policy and procedures. However, the selection of vendors to solicit
was ad hoc. OA and OCIO staff were asked to provide vendor names to solicit.
In response to this request, 12 vendors were identified for the RFQ process.

According to the October 6, 1999 BAM it was stated that NCUA was to procure
using Federal supply schedule or existing government contracts for the notebook
procurement. At least two vendors submitted open market quotes. Although
there is a GSA schedule search for leasing companies in the procurement file, it
appears that this list was not used. In addition, this GSA search list was
generated on November 16, 1999, the day of the apparent first RFQ release.
There is no evidence that the agency performed a search for “equipment”
vendors via a GSA schedule or existing government contract.

Recommendation:
  7. Whenever the agency plans to procure from a federal schedule or federal
     contract, appropriate vendor listings should be obtained from a search of
     GSA schedule and contract vendors.

      OED and OA agreed with this recommendation.
      The contracting officer
      will ensure that this is documented in plans for acquisitions of this nature
      in the future.


Multiple Amendments to RFQ were Issued

While there is nothing wrong with having multiple amendments in the
RFQ process, this could be a
reflection of the compressed time frame that the agency was operating within to
meet its self-imposed deadline for training. Multiple amendments also increase
the risk of providing inconsistent information to all eligible vendors.

The agency obtained a listing of twelve vendors to solicit for quotes on both IBM
and Compaq notebooks. The RFQ asked for business classification (small,
disadvantaged, etc.) and type of quote (open market, GSA schedule, etc.).

The first RFQ noted in the file was dated November 16, 1999. However, there is
no evidence to indicate that this version was sent to any vendors. The next RFQ
in the file was dated November 17, 1999 with response date of November 22,
1999. The file indicates it was sent to ten vendors. A second RFQ dated
November 17, 1999 was in the file with a response date of November 22, 1999.
The file indicates that this version was sent to nine vendors. A third RFQ dated
November 17, 1999 with a response date of November 24, 1999 (apparently to
meet the request of one vendor) was sent to twelve vendors, per the
procurement file documentation. One response was received on November 29,
1999.
This vendor was selected as one of the final three vendors to solicit for
further competition via the BAFO process.

In one amendment, the OCIO sent RFQ changes to OA on November 19, 1999.
Quotes on leasing terms came to NCUA in various forms: per machine, monthly
payments, quarterly payments, and leasing factor to use on purchase price. Two
vendors had noted in their quotations, “still working on operating system rebate”.
We found no evidence in the procurement file or upon inquiry as to whether
NCUA received or did not receive a rebate. However, it does appear that the
final three vendors selected for BAFO solicitation were reasonable.

The procurement file contained three Excel spreadsheets listing vendor
quotations. We were unsure of the use of each spreadsheet. However, it is
apparent that they were used to compare vendor quotations to arrive at the final
three vendors for the BAFO solicitation. Each spreadsheet contained some price
quote differences. One spreadsheet had eight vendors listed. We were unable
to trace five of the quotes listed to vendor documentation in the file for the
Compaq PIII. The second spreadsheet also had eight vendors listed, yet we
were unable to trace six vendor quotes to vendor documentation in the file for the
Compaq PIII. The third spreadsheet listed seven vendor quotations and four of
these quotes could not be traced to the vendor documentation in the PO file for
the Compaq PIII.

Vendor responses were inconsistent in format and response to requirements. As
stated earlier, two vendors did not have government pricing but had open market
quotations, and two vendors had delivery terms as FOB origin, while the
remaining vendors quoted via FOB destination.

Recommendation:
  8. NCUA should document support for modifications to RFQs and maintain
     accurate records identifying dates and destinations of all procurement
     correspondence to ensure that all vendors receive the same information.

      OED and OA agreed with this recommendation. According to OA, the
      tight time frames cause haste, which resulted in incomplete
      documentation. However the ISOC should and the contracting officer will
      ensure adequate time frames are established for future acquisitions of this
      nature.


One Day Response Time for BAFO

The BAFO was sent to the final three vendors on December 6,
1999 with a response date of
December 7, 1999. However, it should be noted that vendor discussions were
held on December 1st and 2nd. Two responses to the BAFO were received on
December 8, 1999, with one of those vendors being awarded the contract. Two
of three vendors had a “BAFO” letter in file with no documentation in the file that
the third vendor was sent a BAFO letter. The lowest bidder was awarded the
contract.

Of the three BAFO quotes received, the awarded vendor’s quote went down
slightly, the other two increased significantly. Per one vendor, they were unsure
of the cause, other than stating that some specifications changed. This same
vendor also stated that RFQ response time frame was tight but reasonable.

Recommendation:
  9. If an extension is granted on response time, all vendors should be notified
     of this extension.

       OED and OA agreed with this recommendation.
       The contracting officer
       will ensure that this is done in future acquisitions of this nature.


Internal Controls over the Purchase Requisition Process were Weak

An OCIO staff person who, by coincidence, offered three vendor
names that ended up being the
final three vendors in the BAFO competition prepared the purchase requisition for
the notebooks. In addition, the “ship to” instructions on the purchase order
provided this staff person’s name as the person to receive the goods
(notebooks).

Recommendation:
  10. We recommend that NCUA ensure appropriate segregation of duties is
      maintained during major procurements.

       OED, OA, and OCIO agreed with this recommendation. According to OA
       and OCIO, the subject employee did not have any involvement in
       establishing the competitive range or making vendor selection.


Acquisition Planning Hampered by Time Constraints

Although there was significant planning involved in the
procurement of the notebooks, we
believe that it was hampered by training schedule time constraints.

Originally, the OCIO proposed to procure notebooks in 1999, via the 1999 budget
process.
Partial justification for the disapproval of this request was Y2K issues.
However, the OCIO did obtain permission in March of 1999 to obtain computers
for the testing of the AIRES program and pending notebook replacement
sometime in the future.

Per the October 6, 1999 BAM, justification was provided to support the use of
simplified procurement procedures and the waiver of the $5 million ceiling of “the
agency may not be able to meet the projected schedule for implementation”.
Attached to the BAM was an OTD memo discussing training issues and the
need to procure training facilities as soon as possible. On November 16, 1999
(the date of the first notebook RFQ), the OTD signed a contract for training
facilities. Training for field staff was to begin in March 2000. This in effect
imposed a deadline for the notebook and related computer training. If the
training had to be canceled, it could have resulted in as much as a $495,000
penalty.

During the procurement process there were other indications of compressed
planning, due primarily to the self-imposed training time frame.
For instance, not
all of the BAM approved equipment was listed in the RFQ solicitation process;
contract specifications evolved during the process (although these specification
changes appeared minor); vendor quotations came in various forms (primarily
leasing terms); there was at least one error noted on one RFQ that was sent to
vendors (requirement of 300 docking stations versus 400 docking stations – at
least one vendor responded with a 300 docking station quote); RFQ and BAFO
response times were relatively short; OGC’s review was late in the process; the
request for name brand and CBD advertising waivers were obtained late in the
process; and the procurement file was not well organized.


Considerations for Future Replacement of Notebooks

The current lease expires on April 30, 2003. This next notebook
procurement will differ from the previous one. Unlike the previous
procurement, the next procurement will require all equipment to be returned as of
a particular date or risk paying two concurrent lease payments. NCUA must
return the equipment to the NCUA central office by April 30, 2003 for lessor pick
up. If equipment is returned late, the agency will be liable to make prorated lease
payments.

Moving from the current lease into another lease in 2003 will require extensive
upfront planning to minimize costs and confusion.
NCUA should start planning
for the next lease in sufficient time to address all future requirements and risks.
We have listed below a preliminary list of some of the considerations that NCUA
needs to consider in planning for its next lease:
    • How is the agency going to remove computer hard drives and store data
      and/or software?
    • How is the agency going to transfer such information to newly procured
      equipment?
    • How is the agency going to arrange erasing of leased hard drives?
    • How will the agency arrange the logistics of returning all leased equipment
      (notebooks, docking stations, printers, desktops) to the central office,
      procure new equipment, and keep examiners working?
    • Does the agency have adequate storage capacity at the central office for
      all returned equipment?
    • How will the agency handle removing leased equipment from the inventory
      system and entering new equipment in the inventory system?
    • How will the agency ensure compatibility with existing SuperDisk if new
      hardware does not have SuperDisk drives?

Recommendations:
  11. NCUA should prepare a definitive plan for the eventual replacement of the
      current leased computers with a new lease. This will require substantial
      upfront planning prior to April 2003.

      OED, OA, and OCIO agreed with this recommendation. According to OA,
      the tight time frames cause haste, which resulted in incomplete
      documentation. However the ISOC should and the contracting officer will
      ensure adequate time frames are established for future acquisitions of this
      nature. According to OCIO, planning has already begun for the next
      rollout.

  12.
      NCUA should consider developing a checklist to ensure compliance with
      relevant policies and procedures.

      OED, OA, and OCIO agreed with this recommendation. According to OA,
      the tight time frames cause haste, which resulted in incomplete
      documentation. However the ISOC should and the contracting officer will
      ensure adequate time frames are established for future acquisitions of this
      nature. OCIO will work with OA to develop a checklist.


Section II: WINDOWS 2000 MIGRATION
OBSERVATIONS & RECOMMENDATIONS

NCUA WAS NOT EXPOSED TO UNREASONABLE RISKS BY
IMPLEMENTING WINDOWS 2000 EARLY

Our second objective was to determine if the agency was exposed to
unreasonable risks by implementing Windows 2000 prior to its general release
and use by the IT community. We determined that the agency implemented an
early copy of Windows 2000 that was obtained directly from Microsoft in
December 1999 and was the same release placed on store shelves in February
2000. We determined that there were risks with implementing Windows 2000
prior to its general use in the industry; however, those risks were not
unreasonable and many steps were taken to mitigate some of the risks.

Although the CIO is responsible for the agency’s architecture as defined in the
Clinger-Cohen Act of 1996, NCUA’s CIO informed the ISOC and OED of his
impending decision to migrate from Windows NT 4.0 to Windows 2000. The CIO
identified the benefits of Windows 2000 and took action to mitigate some of the
risks of early adoption. The upgrade to Windows 2000 was inevitable, so the
CIO weighed the options of adopting Windows 2000 with our new hardware or
waiting.
Although there was insufficient documentation to determine the level of
testing performed, the post implementation results indicate that there were no
significant issues with our migration to Windows 2000.

As a result of our review, we identified several areas where the OCIO should
improve project planning and documentation and made appropriate
recommendations.

CIO has Authority to Make Decisions about Architecture

Both the Clinger-Cohen Act of 1996 and NCUA’s CIO position description
indicate that the CIO has the authority to make decisions about the agency’s
architecture. Clinger-Cohen mandated the position of chief information officer
(CIO) in executive agencies and departments and defined the general
responsibilities of the CIO. These responsibilities included designing and
managing the agency’s architecture and determining any changes necessary.
Clinger-Cohen defines architecture as “…an integrated framework for evolving or
maintaining existing information technology and acquiring new information
technology…” In addition, NCUA’s CIO position description states the CIO is
responsible for the information resources management program, and determining
which aspects of available and emerging technology best fit the needs of the
agency. The General Accounting Office’s Executive Guide GAO-01-376G, Maximizing
the Success of Chief Information Officers, describes the responsibilities of
effective CIOs. CIOs “…also centrally manage architectures and a core set of
infrastructure components to provide common IT services to the entire
corporation.
The corporate CIO works with … other information managers in each of the
business units to ensure efficient, reliable, and interoperable technology for
the entire corporation.”¹

As stated above, the Clinger-Cohen Act of 1996 invests the CIO with
responsibility for implementing a sound and integrated information technology
architecture for the agency. The position description for what is now designated
the CIO position within NCUA², which was amended on November 11, 1996, to
include CIO duties as a result of Clinger-Cohen, reiterates this responsibility.
Although Clinger-Cohen’s reach does not, in a strictly legal sense, extend to
NCUA, the observance of the “best practices”³ principle makes it incumbent upon
NCUA to consider the responsibilities set forth under Clinger-Cohen. In
implementing Windows 2000, the CIO abided by both the responsibilities set
forth in the Act, as well as in his position description. Moreover, in accordance
with Part 790 of NCUA rules and regulations, the CIO informed the ISOC and the
Office of the Executive Director (OED) of his impending decision to migrate from
Windows NT 4.0 to Windows 2000.

The ISOC was reestablished on July 15, 1999, without a charter, and their
responsibilities were not clearly defined. Interviews of the former ED and former
DED indicated that the intent of the reestablished ISOC was to have oversight of
major IT investments. The ISOC’s main focus from July 1999 through March
2000 was to oversee the $9.38 million purchase of hardware that included
notebooks for all agency employees. There was a consensus among most
ISOC members that although the CIO is ultimately responsible for the
architecture, major technology decisions impacting the agency should be
presented to the ISOC. ISOC members agreed that they wanted to be informed
about any major IT decisions.
However, they had differing opinions on who
should make the decision about technical issues such as the agency’s
architecture, including the operating system. Many of the ISOC members did not
feel comfortable making these types of decisions due to their lack of technical
knowledge and felt the CIO was better positioned for this type of decision. Most
board members and the former OED felt decisions regarding operating systems
should be made either by the ISOC or CIO.

¹ GAO Report #GAO-01-376G, Maximizing the Success of Chief Information Officers
² Agency Position No. 9774.
³ In the area of information technology, “best practices” are defined as
  techniques that agencies, as well as private industry, may use to ensure
  reliable, timely access to information as well as effective management of
  information technology resources.

Recommendation:
  13. The agency head should clearly define the roles and responsibilities of all
      key personnel in relation to information systems. All key personnel should
      be informed of their responsibilities and have sufficient authority to
      exercise the role and responsibility assigned to them. Specifically, the
      ISOC needs a charter with clearly defined responsibilities and
      accountabilities, and the CIO’s responsibilities and accountabilities need
      to be clearly defined to help manage expectations and performance.
      All key personnel should indicate their acknowledgement of such
      responsibilities and accountabilities.

      Although the CIO agreed with this recommendation, it was noted that
      defined responsibilities must be consistent with the legal constraints of
      Clinger-Cohen.


ISOC and OED were Informed of Impending Decision to Migrate to Windows 2000

Regardless of who has the authority to make decisions to change or upgrade
operating systems, the decision regarding the migration to Windows 2000
was made after informing the ISOC and OED. The ISOC and OED were aware
of the discussions to upgrade to Windows 2000, and there were no dissenting
opinions. Although we determined that the ISOC and OED were informed of the
impending decision to migrate to Windows 2000 through management reports
and meetings, it was not clear what level of information was presented.

The ISOC was informed in late summer/early fall 1999 about the possibility of
proceeding with Windows 2000 and that testing results would determine whether
we go with Windows 2000 or stay with NT. We interviewed all ISOC members
and they had differing recollections of specific discussions surrounding
Windows 2000. The ISOC Chairman and Director of E&I stated that the Director
of E&I had considerable influence in the decision to migrate to Windows 2000
due to his responsibility for AIRES. The Director of E&I felt it was a good
decision to go with Windows 2000 with our new hardware rather than wait. Some
ISOC members felt they were fully informed of the risks and benefits, while
other members would have preferred more information. Unfortunately, the
minutes of ISOC meetings were not adequate to determine what specific
information was presented.
Further discussion with
former OED and some ISOC members revealed that they did not ask enough
questions or relied on the CIO to make the appropriate decision.

Documentation in the management and quarterly reports issued by the CIO show
that there was a possibility of migrating to Windows 2000, but they did not
indicate specific reasons for our potential upgrade. The OTIS Update August 5,
1999, reflected that we were testing AIRES with Windows 2000 and Office 2000.
The management report distributed in September 1999, noted we were testing
Windows 2000, Office 2000, and Outlook for possible use in our next generation
notebook and performing controlled testing of AIRES on a beta version of
Windows 2000. The management report distributed in October 1999 stated that
parallel exams were performed using upgraded computers and a beta version of
Windows 2000. However, the documentation prepared did not reveal the specific
risks and benefits of migrating to Windows 2000.

Recommendations:
  14. The ISOC Chairman should ensure that detailed minutes of all ISOC
      meetings are maintained and distributed timely to ISOC members, OCIO,
      OED, and OIG.

      OED and OCIO agreed with this recommendation.

  15. To ensure the ISOC and OED are adequately informed of major IT
      decisions affecting the agency, the CIO should prepare a business case
      analysis of all major information technology decisions for the ISOC and
      OED.
      This documented analysis could include any of the following:
          o   Statement of the problem to be remedied or process to be
              improved, and how it will enhance NCUA’s ability to achieve its
              goals;
          o   Risk assessment;
          o   Cost/benefit analysis;
          o   Options available;
          o   Resources required; and
          o   Estimated schedule of implementation milestones.

      OED and OCIO agreed with this recommendation. OCIO will improve
      documentation during the next acquisition cycle.


The Benefits of Migrating to Windows 2000 Early Outweighed the Risks

Although there were risks to early adoption of Windows 2000, the benefits
outweighed the level of risk. Windows 2000 had many improvements over
Windows NT 4 such as better stability, enhanced security, mobile user
benefits, and many other operational improvements. The risk of migrating to
Windows 2000 before the general population was also mitigated by Microsoft’s
level of beta testing as well as NCUA’s involvement in beta testing, the
timing of our hardware replacement, and training/contractor support with
Windows 2000 experience.

Windows 2000 was beta tested by more organizations than previous versions of
Windows, and beta testers generally opined that Windows 2000 was more stable
and secure than NT prior to its official release in February 2000. Many
independent reviews and tests performed by the industry support these
statements. Although there was much debate in the industry of when to
migrate to Windows 2000, there was a consensus that the timing of migration
depends on the hardware replacement strategy.
In December 1999, a well-respected, independent information technology
consulting firm recommended deployment of Windows 2000 as part of the hardware
replacement strategy and that organizations should “begin deploying new
systems that ship with Windows 2000 without waiting for Service Pack 1”. In
addition, several other industry experts had similar views.

During NCUA’s beta testing, several OCIO staff indicated they felt confident with
Windows 2000 in late fall 1999. Most OCIO staff opined that by the end of 1999 the
beta was more stable and provided many enhanced features over NT. The
ADT/TDG testers we interviewed also opined that the AIRES platform was pretty
stable at the end of 1999. However, they revealed that unforeseen problems
were encountered in January 2000 when we received the final AIRES platform.

Improved security features include stronger out of the box security. Microsoft
has configured Windows 2000 so when it is installed out of the box without
“flipping any switches” it is more secure than NT. NT required you to “flip the
switches” to enhance the security. This required system administrators to have
knowledge of these configuration switches and physically “check the box”. In
addition, Windows 2000 supports encryption, virtual private networks, SecurID
token, and strong authentication. Virtual private networks are a secure way of
allowing a remote user to connect to the network. NCUA plans to support virtual
private networks in the future to increase the security of our platform and
systems. SecurID token is a feature that provides for secure remote access.
NCUA implemented this feature with the rollout of new hardware and migration to
Windows 2000. Windows 2000 has a feature that allows administrators to
increase the security of local machines by preventing users from installing
software and changing important system files.
This feature also protects users
from viruses that attempt to change system settings and important system files.
The CIO made a policy to “lock down” all agency computers with this feature.

Mobile user advantages in Windows 2000 include the power management
feature, offline files feature, and encryption. The power management feature
allows you to conserve power when the computer has been inactive by turning
off the monitor and/or hard disk. In addition, power management will put your
computer in hibernation or standby after a specified period of time. You can also
set an alarm when your battery power is getting low.

The offline feature allows a user to download files from the network to their
workstation so they can view these files while not connected to the network. This
feature also allows users to make changes to these documents and synchronize
the document when they reconnect to the network.

Encryption provides for a secure method of protecting files and data on the
workstation. The inherent walk-away ability of a notebook makes it highly
susceptible to theft. Encryption protects the data on the hard drive so
unauthorized users cannot gain access to sensitive files and data.

Some of the operational benefits include better stability, more robustness, less
maintenance, better control of user workstations that minimizes accidental
configuration or system file changes, easier distribution of software to staff, and a
consistent platform across the agency.

Some of the risks migrating to Windows 2000 in early 2000 were the immaturity
of this version of the operating system, vendor compatibility, uncertainty of
delivery date, and staff’s lack of knowledge in the new features of the operating
system. Any potential problems with a new operating system would be revealed
during the first year after release.
Since we implemented early, we would be
subject to these potential problems.

When a new version of an operating system is released, most of the old features
have been streamlined and integrated with new features such as Active
Directory. The inherent risks found in a new operating system will primarily be
found within new features resulting in “bug” reporting and needed patches. The
risks in the new operating system will decline as the general use and reporting of
issues increases. As users identify “bugs”, they will be fixed and applicable
patches will be made available. Service Pack 1 was issued in July 2000 and
contained several patches that fixed minor issues with Windows 2000. This
service pack was “designed to ensure Windows 2000 platform compatibility with
newly released software and drivers, and contains updates that fix issues
discovered by customers or via internal testing.”⁴

Just as the operating system is new and has inherent risks, hardware vendors
must create new drivers for the new operating system to work with their devices.
Because the product is so new, it is possible that the hardware vendor has not
created the drivers for your specific equipment. However, if you are buying new
equipment the odds are greater that the hardware vendor has created such a
driver. Also, many of the large hardware vendors work with Microsoft and have
advance knowledge of the new operating system, so they are ahead of the curve
in creating the necessary drivers. Compaq worked closely with Microsoft since
1996, and a majority of Windows 2000 code was developed and tested on
Compaq equipment.

Software vendors must also modify their software to take advantage of the new
features of the operating system.
Just like hardware vendors, most large
software vendors work with Microsoft in the early stages of development to
create software that is compatible with the operating system. If the hardware and
software vendors did not work with Microsoft, they would be behind other leading
companies and would lose significant market share of their product. One
example of where we were affected by a software vendor not ready for the new
operating systems is virus protection. As a result, we rolled out the notebooks
without desktop virus protection. Although there was no virus protection on the
desktop, OCIO incorporated several mitigating controls to protect us from
potential viruses. These controls included the lockdown, network virus
protection, and real-time virus scanning on the mail server.

We received Windows 2000 on December 24, 1999, the notebooks arrived in
January 2000, and the training was scheduled for March 2000. There was no
room for slippage in the schedule. If we did not meet the schedule in Denver, the
agency would have lost up to $495,698 for the hotel training facility. However, if
we did not receive Windows 2000 by the end of the year, we would have quickly
reverted to our contingency plan using NT so we would not forfeit the hotel
penalty. This contingency plan is discussed further below.

There were fundamental changes in Windows 2000 that required training and
education to learn the new features and how to implement them effectively. Due
to OCIO’s lack of Windows 2000 knowledge and experience, the OCIO hired a
contractor to train OCIO staff and assist in setting up the configuration.
This contractor also reviewed our configuration to ensure its viability and make
improvements before we rolled out the system.

⁴ Windows 2000 Service Pack 1 Market Bulletin, July 31, 2000, Microsoft web site

There were other risks that were not Windows 2000 related. These risks
included the computers not being ready; AIRES not being ready; the hotel not
being ready; incompatibility between the new notebooks, Windows 2000, Office
2000, and AIRES 2000; a snowstorm in Denver preventing delivery of the
equipment; and key OCIO staff becoming ill or incapacitated before the final
platform was complete.


The Best Long Term Option Available was to Migrate to Windows 2000 with NCUA’s New Hardware

We had three options for migrating to Windows 2000 and the least disruptive
and most beneficial option to the agency was to migrate to Windows 2000 in
connection with our notebook replacement. Industry literature indicated your
migration to Windows 2000 should coincide with your hardware replacement
strategy. In addition, interviews of agency staff and managers disclosed
important details that support our early migration to Windows 2000.
As a result of our early migration, the agency has saved
significant resources and will benefit from the many enhanced features of
Windows 2000.

The three options NCUA had with regard to migrating to Windows 2000 were:
    • We could migrate to Windows 2000 when we received our new hardware
    • Roll out NT with the new hardware, and upgrade to Windows 2000 a year or
      so later
    • Roll out NT with the new hardware, and wait for our next hardware
      replacement three years later.

If we waited a year to upgrade to Windows 2000, it would have required
significant resources, both time and money, to upgrade the machines later for our
remote population. To upgrade a computer from NT to Windows 2000, it would
have required an OCIO staff person to touch every computer. Upgrading an
operating system on existing hardware is not a simple task that can be delegated
to a user. In addition, we would have delayed the benefits of Windows 2000
including better security and control. If we waited three years to migrate to
Windows 2000, the agency would have incurred higher IT maintenance costs
and Microsoft probably would not be supporting NT.


Project Management and Planning Need to be Enhanced

There was no one project manager assigned to oversee the entire effort from
development through distribution. Staff personnel and contractors assumed many
of the responsibilities. There was a project manager that managed the logistics
and distribution. One key OCIO manager delegated much of their responsibility to a
contractor. Another key OCIO manager delegated much of their responsibility to
staff.
The CIO was heavily involved in overseeing the entire process from
planning through implementation, and the Deputy CIO was involved in the
acquisition and procurement process. A contractor and staff employee assumed
many of the responsibilities of the project, and without their efforts, the outcome
of the project would have been at risk. A mitigating control was frequent
meetings within OCIO to discuss issues encountered and their resolution.

Although there was a project plan for our rollout and distribution of our new
platform, this project plan was not detailed. The plan was missing critical steps,
deliverables, milestones, and identification of dependencies. We were not
presented with any analysis of minimum requirements for Windows 2000
migration, analysis of each application to determine what effort was required to
ensure compliance with Windows 2000, or analysis of resources required to
perform the various migration tasks for compliance with Windows 2000. It
appeared that NCUA applications were not migrated to Windows 2000 until
late 1999 due to the lack of a detailed project plan. The CIO later informed us
that limited resources and internal resistance also were key factors.

Although some staff had concerns about the timing of the migration to Windows
2000, most staff felt confident they could meet the schedule. However, there
was resistance from a key OCIO staff member regarding the migration to
Windows 2000 with the notebook rollout. This resistance was presented with
arguments of why NCUA should wait. Although many reasons were presented
for staying with NT, very little was offered for consideration for the anticipated
Windows 2000 migration.
This internal resistance appeared to have a negative
impact in the migration and deployment of Windows 2000.

Although the final configuration was documented, there was insufficient
documentation regarding the control over the changing configuration and multiple
versions on the different test machines. Since there was a lack of documentation
regarding the configuration process, we had to rely on interviews that indicated
user privileges were configured inconsistently. The software version control for
Windows 2000 had an impact on the testers in the field. These conditions
included testers having different releases of Windows 2000 and different security
levels. Although some of this inconsistency could be attributed to timing
differences with our remote staff, there was inadequate version control to ensure
all testers and developers were using the same platform and version of
applications. It is critical in a test environment to ensure everyone is on the same
version with the same configuration. Otherwise, a tester could be identifying
bugs in an old version, or miss testing features that may be inadvertently broken in
a new version.

Recommendations:

  16. Assign a Project Manager to major projects who has authority and
      responsibility to ensure all critical tasks are performed, keep everyone on
      schedule, make modifications in the plan if required, make critical
      decisions, and resolve problems. The role of a project manager should
      be given to a key individual with responsibility for coordinating all efforts:
      notebook acquisitions and distribution, software development and testing
      schedules, configuration and migration, contingency planning, and
      delivery schedules.

      OED and OCIO agreed with this recommendation.
      OCIO will formally
      designate an overall project manager to the next computer renewal
      project.

  17. Develop project plans that include the steps and resources required,
      allocation of responsibilities and authorities, priority level of each step,
      dependency relationship between steps, critical milestones, test
      documentation, and approval procedures. A project plan can assist in
      estimating the effort involved and resources required to ensure the
      successful outcome of a project, ensure all critical tasks are performed, as
      well as give indicators when a project is slipping and needs to be modified
      or killed.

      OED and OCIO agreed with this recommendation. OCIO will enhance
      large-scale project planning with a comprehensive project plan to include
      these items during the next computer renewal project.

  18. Monitor budgeted versus actual project milestones and costs and report to
      senior management throughout every major project phase.

      OED and OCIO agreed with this recommendation. According to OCIO,
      they monitored project milestones and informed ISOC and agency senior
      managers through meetings and management reports. OCIO will formally
      report milestones to the ISOC and OED during the next computer renewal
      project.

  19. Develop procedures to ensure adequate version control and configuration
      from the development and testing process through production.

      OED and OCIO agreed with this recommendation.
      OCIO will formally
      document version control and the configuration management process
      during the next computer renewal project.


Insufficient Evidence to Determine the Amount and Level of Testing Performed

We were repeatedly told extensive testing was performed on Windows 2000;
however, we were unable to determine the level of testing that was
performed because of the lack of documentation and varying recollections.
Although we cannot conclude whether sufficient testing was
performed on the Windows 2000 platform, with a project of this magnitude the
post rollout problems would have been more significant and frequent than we
had encountered if there was insufficient testing. This is not to say that we didn’t
have any problems, because we did. However, the problems encountered had
simple workarounds or were not significant to stop work. Some of the problems
were difficult to isolate since we changed the hardware, operating system, Office
version, and AIRES simultaneously. To say the problems were primarily due to
the operating system would be a presumptive statement. For further discussion
of the post rollout issues see below.

There is indication that we started field-testing the Windows 2000 beta in August
1999. Field-testing provides many benefits because users in their environment
use real world examples in testing. Management reports and OCIO staff indicate
ADT/TDG were provided with new IBMs with Windows 2000 beta, Office 97, and
AIRES 2000. Although some testers do not recall seeing Windows 2000 until
January 2000, when prompted to identify the differences in the operating system
they were not certain how to tell the difference between Windows NT and
Windows 2000. There was no test documentation that indicated the platform
tested, when it was tested, what items were tested, etc.
Although E&I
maintained a database with the test results of bugs found in AIRES 2000, there
was no documentation that demonstrated the features that worked properly. In
addition, there is no documentation to support testing of other custom NCUA
applications. Interviews indicate that developers tested the other applications,
but we have not seen any evidence to show what was tested, when, how, or
by whom.

In mid January 2000, testers received the new Compaqs with the final release of
Windows 2000 and Office 2000 for final testing. All major areas of AIRES 2000
were working prior to the issuance of the Compaqs with the Windows 2000 RTM
to field testers. New problems started occurring with AIRES 2000 and AIRES 16
on these computers that were not occurring on the IBM 600E test computers
using the Windows 2000 platform, beta version 3.

   Recommendations:
   20. Test documentation needs to be strengthened by the OCIO and the Office
       of Primary Interest. The key aspects of testing include development of an
       adequate test plan, execution of the test plan, and the analysis and
       reporting of test results. The test plan should indicate the system
       functions and cross reference them to tests designed to validate the
       correct operation of those functions. Test results should indicate the
       actual results and pass/fail status of those tests and relate the results to
       the function, indicating whether it performs correctly. There should be a
       tracking mechanism to ensure that all issues reported are resolved and
       retested. The test report should indicate what works and does not work,
       as well as the test group’s opinion on the adequacy and acceptance of the
       system.
       Testers must be independent of the development process.
       Attempting to test 100% of an application or system should never be a
       goal, because not every feature or function of a system is worth testing.
       Testing should be risk based and focus on all critical features of the
       system, areas whose failure would cause the most damage and disruption
       to the organization.

      OED and OCIO agreed with this recommendation. According to OCIO,
      they will work jointly with E&I to strengthen testing documentation during
      the next computer renewal project.

   21. All major system changes should be thoroughly tested and subject to an
       independent review by Quality Assurance before they are introduced into the
       production environment.

      OCIO agreed with this recommendation. According to OCIO, they
      significantly increased the amount, and improved the quality of testing on
      this project, as demonstrated by the quality of the product distributed to
      end users and the overall success of the entire conversion. Although
      OCIO feels strongly about the QA process, this is a resource issue that
      will be addressed in the OCIO budget for the next computer renewal
      project.


The Contingency Plan to Revert Back to NT was Questionable

We do not have any evidence to support that NT was a viable
contingency plan. We were
informed that if Windows 2000 was not ready for our use in time, our contingency
plan was to continue with the NT platform. Although OCIO management and
staff indicated this was the plan, they were unable to articulate what was involved
to ensure this was a viable option. We were presented with varying opinions of
the steps involved, as well as the time involved to activate the backup plan
successfully.
We were informed it would take anywhere from a few days to a few
months to ensure sufficient testing of all applications on the NT platform. In
addition, there was no firm date that would trigger our plan to go back to NT.
Compounding the plan to revert to NT was that in Fall 1999 development had
switched to a Windows 2000 development environment due to time constraints.
Although there was indication that all programs had to be ready for a Windows
NT 4/Office 2000 environment, there were varying degrees of skepticism that
AIRES could be quickly reverted back to NT with all subsequent changes since
the switchover to Windows 2000 in Fall 1999.

In addition to the option of reverting back to NT, OCIO projected the regional
conferences would be used for any issues that were encountered after the initial
distribution. With any hardware or software upgrade, you can expect there to be
some issues that need to be tweaked. The timing of the regional conferences
allowed a couple of months for identification and resolution of problems. Some
of the issues identified after the initial rollout, such as power management, BIOS
upgrades, and minor software upgrades, were patched and resolved during the
regional conferences. The post rollout issues are discussed further
below.

Recommendation:
  22. Prepare and document contingency plans for significant upgrades. Some
      of the items to be considered in the plan are critical steps to be performed,
      resources required, trigger dates, and dependencies. A well-supported
      contingency plan should also be tested to ensure its effectiveness. A
      contingency plan should be well documented to identify all the steps
      necessary to have a successful backup plan.
      When there is a need to use
      a contingency plan, often there is inadequate time to ensure all the
      necessary steps are performed, and as a result some things are
      overlooked. A well documented and communicated plan ensures that all
      critical steps are identified and performed.

      OED and OCIO agreed with this recommendation. According to OCIO,
      the contingency plan was to stay with the current operating platform
      (Windows NT). However, OCIO will document a formal contingency plan
      for critical steps in the next computer renewal project.


NCUA Rolled Out an Early Release of a Commercial Version of Windows
2000 – This Early Release was the same as the Public Release on
February 17, 2000

We determined that NCUA rolled out the first available non-beta
version of Windows 2000, which is called the Release to
Manufacturing (RTM) version, which had limited availability prior
to release on store shelves. The RTM was build 2195, which is the same build
as the current commercially available product. We verified that the RTM is the
same product that was released on store shelves in February 2000.

A beta version is a software product in process of being tested by the user
community to put the product through real world testing and flush out any bugs.
It is very common in the information technology field to obtain and test beta
versions of software. This is not unique to NCUA. Many corporations and
agencies evaluate betas in order to familiarize themselves with the product and
determine whether they may want to upgrade in the future. The evaluation of a
beta product aids IT shops in their decision making process.

We obtained our beta version through a developers’ software package that we
subscribe to.
We began testing Windows 2000 because there was a possibility
we could use this new and improved operating system with our approaching
notebook purchase.

Although it was not certain when Windows 2000 would be released commercially
(at the time, it was anticipated for release in October 1999), there was a strong
possibility it would be released before we received our new hardware. Because
of the many improvements and enhanced features in Windows 2000, the CIO
recognized the benefits of implementing Windows 2000 as soon as possible. It
was clear that the IT industry would be moving in this direction and that Windows
2000 would be the preferred operating system of the near future. At the time we
started evaluating the Windows 2000 beta, the funding had not been requested,
hardware had not been ordered, and training had not been scheduled. NCUA
could not determine which operating system we would use without knowing the
specific timeframe involved and internal testing results of the new operating
system. The CIO’s preference was to migrate to Windows 2000 if there were
indications of stability and availability, rather than distribute Windows NT with our
new hardware and a year later go through the extensive, as well as expensive,
process of upgrading all the hardware to Windows 2000. The CIO had a vision
of how Windows 2000’s improvements would directly enhance NCUA’s
architecture and reduce costs in the long run, as well as avoid the logistical nightmare
of upgrading users’ machines (the majority of them remote users) from Windows NT
to Windows 2000. An informed decision regarding the operating system could
not be made without evaluating the Windows 2000 beta. The beta evaluation
gave us a head start on learning the enhancements and operations of this new
operating system.
It was late fall 1999 when the CIO felt confident that Microsoft
would release Windows 2000 to manufacturing by the end of the year. It was
late November, early December 1999 when Microsoft gave the CIO assurance
that they would provide NCUA with the first available copy of Windows 2000 by
the end of the year.

The first Windows 2000 version we placed in production was the RTM version.
This is the first version available after beta. According to Microsoft, this was the
same version that is packaged for commercial release and put on store shelves
in mid-February. The fact that we received it two months before it hit store
shelves does not indicate it was a different product. It takes about this long for
the manufacturer to mass produce CDs and documentation, package, and
distribute to stores. Due to the critical timing of our rollout, Microsoft provided
NCUA with this early release at the end of December 1999. We also verified that
the original version of Windows 2000 Professional on our computers is the same
version after Service Pack 1.


Post Implementation Results Show No Major Issues

There was an overwhelming consensus that the issues
encountered after training and
implementation were either insignificant or minor with workarounds. We
interviewed several Office Directors, RD and ARDs. Most were happy with the
final platform and indicated there were only minor problems. Most of the people
we interviewed opined that the platform was more secure and stable than NT and
more flexible for travelers. Service Pack 1 was issued in July 2000 and had
minor impact on NCUA issues.

There was inconsistency in the perception of problems during the first training
sessions.
One ARD from the first training session in Denver indicated there were
only minor problems, while other staff indicated there were more serious issues
encountered during this training session. The AIRES project manager and
AIRES developer indicated that most AIRES issues were resolved by the last
training session in Denver.

OCIO and Help Desk staff indicated post rollout issues were minor. They
indicated there were issues with the BIOS, power management, drivers, and
lockdown. The BIOS issue caused problems with the battery and Superdisk. A
chip in the battery conflicted with the BIOS, causing the battery to die. The solution
was to get a new battery or plug it in. The Superdisk would not work via the
parallel port; however, it would work in the MultiBay. There was an issue with the
power management feature when the system was left idle. Some of the drivers
were not available, but the effect on NCUA was insignificant. Although the DVD
device driver was not available, the DVD could still be used as a CD. There were
some issues with printer drivers, but most of these issues were resolved by
obtaining an alternative driver from the manufacturer. Although there was limited
desktop virus protection with the new notebooks, this was mitigated by real-time
scanning on the e-mail server and network. The help desk staff indicated there
was a low incident rate of viruses during this period.

There has been controversy surrounding the policy to “lockdown” local user
machines. The lockdown is recommended by Microsoft to increase the security
of local machines. But with security, there is a price. That price is the inability of
users to load software, add printer drivers, and change critical system files.

Service Pack 1 became available in July 2000 and repaired minor issues.
“SP1
was designed to ensure Windows 2000 platform compatibility with newly
released software and drivers, and contained updates that fixed issues
discovered by customers or via internal testing. The main areas addressed by
this service pack were:
    • Application and hardware compatibility
    • Windows 2000 setup
    • Operating system reliability
    • Security, including the latest updates for known Windows 2000 security
       issues.” 5

5 Windows 2000 Service Pack 1 Market Bulletin, July 31, 2000


APPENDIX

Simplified Procurement Policy and Procedures

•   Contracting officer has broad discretion in fashioning suitable evaluation
    procedures; and
•   Formal evaluation plans and establishing a competitive range, conducting
    discussions, and scoring quotations or offers are not required.
•   Contracting officer must determine that the proposed price is fair and
    reasonable; and
•   Keep documentation to a minimum.
    For solicitation up to $5 million, a brief
    written description of the procedures used in awarding the contract, the
    number of offers received, and an explanation of the basis for the contract
    award decision; and
•   Limit written records of solicitation or offers to notes or abstracts to show
    prices, delivery, references to printed price lists used, the suppliers
    contacted and other pertinent data.
•   Contracting officers shall not solicit quotations based on personal
    preference or restrict solicitation to suppliers of well-known and widely
    distributed makes or brands.
•   Contracting officers shall promote competition to the maximum extent
    practicable;
•   Notify potential quoters or offerors of the basis on which award will be
    made;
•   Establish deadlines for the submission of responses to solicitations that
    afford suppliers a reasonable opportunity to respond;
•   Consider all quotations or offers that are timely received;
•   Evaluate quotations or offers in an impartial manner, inclusive of
    transportation charges, on the basis established in the solicitation, and
    consider all quotations or offers;
•   Use innovative approaches, to the maximum extent practicable, in
    awarding contracts using simplified acquisition procedures;
•   Comply with policy relating to economic purchase of quantities, when
    practicable;
•   Satisfy procedures with respect to Certificates of Competency before
    rejecting a quotation from a small business concern determined to be
    nonresponsible;
•   Provide for the inspection of supplies.
•   Contracting officers should include related items (such as small hardware
    items) in one solicitation;
•   Make maximum effort to obtain trade and prompt payment discounts
•   Maintain a source list of
    small businesses, small disadvantaged
    businesses and women-owned small businesses.
•   Standing prices may be used if pricing is current and the agency obtains
    the benefit of maximum discounts before award.
•   Purchase orders are generally on a fixed price basis for the acquisition of
    commercial items;
•   Specify the quantity of supplies;
•   Contain a determinable delivery date;
•   Provide for inspection and acceptance of goods.
'